[SRU][J][PATCH 0/2] CVE-2024-47691 and CVE-2024-53218

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Mon Oct 27 21:19:53 UTC 2025 

https://ubuntu.com/security/CVE-2024-47691
https://ubuntu.com/security/CVE-2024-53218

[ Impact ]

CVE-2024-47691
 
  f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
   
  The root cause is below race condition, it may cause use-after-free
  issue in sbi->gc_th pointer.

  - remount
   - f2fs_remount
    - f2fs_stop_gc_thread
     - kfree(gc_th)
  				- f2fs_ioc_shutdown
				 - f2fs_do_shutdown
				  - f2fs_stop_gc_thread
				   - kthread_stop(gc_th->f2fs_gc_task)
     : sbi->gc_thread = NULL;

  We will call f2fs_do_shutdown() in two paths:
  - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
    for fixing.
  - for f2fs_shutdown() path, it's safe since caller has already grabbed
    sb->s_umount semaphore.

CVE-2024-53218
  
  f2fs: fix race in concurrent f2fs_stop_gc_thread

  The root cause is a race condition in f2fs_stop_gc_thread() called from
  different f2fs shutdown paths:

    [CPU0]                       [CPU1]
    ----------------------       -----------------------
    f2fs_stop_gc_thread          f2fs_stop_gc_thread
                                   gc_th = sbi->gc_thread
      gc_th = sbi->gc_thread
      kfree(gc_th)
      sbi->gc_thread = NULL
                                   < gc_th != NULL >
                                   kthread_stop(gc_th->f2fs_gc_task) //UAF

  The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in
  f2fs_stop_gc_thread()") attempted to fix this issue by using a read
  semaphore to prevent races between shutdown and remount threads, but
  it fails to prevent all race conditions.

  Fix it by converting to write lock of s_umount in f2fs_do_shutdown().

[ Fix ]

Backport from upstream the fix commits:
- c7f114d864ac f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
- 7b0033dbc483 f2fs: fix race in concurrent f2fs_stop_gc_thread

[ Test Plan ]

Compile and boot tested.

Stress tested a f2fs partition:
```
$ sudo parted -s /dev/vdb mklabel gpt
$ sudo parted -s /dev/vdb mkpart primary 0% 100%
$ sudo mkfs.f2fs -l test /dev/vdb1
$ sudo mkdir /mnt/test
$ sudo mount -t f2fs /dev/vdb1 /mnt/test/
$ cd /mnt/test/
$ sudo stress-ng --class filesystem --sequential 4 --timeout 15s --aggressive --metrics-brief
```

Tested issuing multiple shudown ioctls in parallel:
```
for i in $(seq 1 10); do
	f2fs_io shutdown 0 /mnt/temp/test.txt &
done
```

[ Regression Potential ]

The fix serialized concurrent shutdowns and remount paths by taking
sbi->s_umount for write around GC thread teardown, ensuring only one
caller can observe amd operate on sbi->gc_thread at a time.
An issue with this patch could change how long remount and shutdown
take, making certain fs commands block longer or timeout. Under heavy
load an issue may also reveal lock-order bugs.

Chao Yu (1):
  f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

Long Li (1):
  f2fs: fix race in concurrent f2fs_stop_gc_thread

 fs/f2fs/file.c | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.51.0

More information about the kernel-team mailing list